News briefs June 2015

»The Federal Communications Commission levied a $25 million fine – its largest ever for an information security and privacy concern – against AT&T as part of a settlement over data breaches at its call centers. According to the FCC, breaches at AT&T call centers in Colombia, the Philippines and Mexico in 2013 and 2014 disclosed names and full or partial Social Security numbers of 280,000 AT&T customers and led to unauthorized access of protected account information. Call center workers then allegedly used that information to obtain codes to unlock handsets of AT&T phones and also shared it with others outside the company in a stolen cell phone-trafficking scheme.

»Two years after U.S. Rep. Zoe Lofgren, D-Calif., introduced legislation to overhaul outdated provisions of the Computer Fraud and Abuse Act (CFAA), “Aaron’s Law” returned to the docket in Congress. Lofgren introduced the bill to stop the CFAA from being used by overzealous prosecutors, as was the case with Aaron Swartz, a 24-year-old Harvard researcher and internet activist who faced computer intrusion, fraud and data theft charges prior to his January 2013 suicide. As it currently stands, the CFAA could potentially jail computer users who violate a website’s terms of service or an employer agreement. Lofgren aims to narrow the statute’s definition of “access without authorization” so that enforcement is refocused away from “common computer and internet activities” and toward “truly malicious hackers and bad actors,” such as those who purposefully send fraudulent emails or spread malware to users.

»In its annual Data Breach Investigations Report, Verizon introduced a new model for estimating loss as a result of breaches. The report, which analyzed incidents from Verizon’s own breach investigations along with those reported by 70 contributing organizations, found that 79,790 security incidents occurred in 2014, of which 2,122 were confirmed data breaches. Rather than estimating a single average cost per compromised record, as earlier reports have done, Verizon’s model estimates the expected loss across a range of breach sizes, reflecting that cost does not scale linearly with record count. Under the model, the expected loss associated with 100,000 disclosed records was $474,600, while the expected cost of one million disclosed records would be more than $1.2 million for an organization.

»Analysts discovered a multi-platform remote access trojan (RAT), dubbed “AlienSpy,” which hackers used to target end-users around the globe, as well as enterprises in the technology, financial services, government and energy sectors. General Dynamics’ Fidelis Threat Research Team, which observed phishing emails containing the RAT targeting its customer base, noted that AlienSpy appeared to be a new-and-improved version of another RAT, named Frutas, which has also been called Adwind RAT and Unrecom RAT over the course of its evolution. Of note, AlienSpy can infect devices running Windows, Linux, Mac OS X and even the Android mobile operating system.

»Researchers at High-Tech Bridge have identified a new attack method, dubbed a “drive-by-login” attack, in which threat actors target one specific visitor to an infected website. The attacker first exploits a vulnerability in the website to plant a backdoor, then uses it to deliver malware only to the intended target’s systems, typically once that user logs in. This differs from traditional “drive-by download” attacks, which indiscriminately prey on any unsuspecting visitor to a compromised site. In April, when the attack was uncovered, High-Tech Bridge CEO Ilia Kolochenko told SC that drive-by-logins could feasibly replace phishing as attackers’ preferred method of infection, though the technique seemed more likely to be used in advanced persistent threat (APT) campaigns.